
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring for devices such as Cisco, HP or Juniper network hardware.

This tutorial covers the installation of the OSSEC server, the standard OSSEC Web UI and the Analogi dashboard on Ubuntu 12.04. It also covers OSSEC setup with MySQL support, including a Makefile bugfix. Last but not least it shows you how to install the OSSEC agent on a *NIX system.

This tutorial is written for an Ubuntu 12.04 OSSEC server, but can easily be adapted to other *NIX operating systems. It only covers basic OSSEC client/server configuration, not automatic blocking or comprehensive configuration settings. It gets you started; the rest is available in the documentation: http://www.ossec.net/doc/

cd ../
./install.sh
** For installation in English, choose [en].
OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux vps1.sparklingclouds.nl 3.2.0-042stab076.8
- User: root
- Host: vps1.sparklingclouds.nl
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? ossec@example.org
- We found your SMTP server as: mail.raymii.org.
- Do you want to use it? (y/n) [y]: y
--- Using SMTP server: mail.raymii.org.
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 205.185.112.68
- 205.185.112.69
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
INFO: Little endian set.
*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
[...]
*** Making os_xml ***
[...]
*** Making os_regex ***
[...]
*** Making os_net ***
[...]
*** Making shared ***
[...]
*** Making config ***
[...]
*** Making os_maild ***
[...]
*** Making os_dbd ***
[...]
*** Making os_csyslogd ***
[...]
*** Making agentlessd ***
[...]
*** Making os_execd ***
[...]
*** Making analysisd ***
[...]
*** Making logcollector ***
[...]
*** Making remoted ***
[...]
*** Making client-agent ***
[...]
*** Making addagent ***
[...]
*** Making util ***
[...]
*** Making rootcheck ***
[...]
*** Making syscheckd ***
[...]
*** Making monitord ***
[...]
*** Making os_auth ***
[...]
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma

We use the web UI Beta because the stable 0.3 version has a lot of errors (like broken search). We also set the correct permissions on the tmp/ folder. Afterwards the web UI is visible at http://hostname/ossec/.

Installing Analogi Web Dashboard

The Analogi dashboard is a nice and informative dashboard around OSSEC that provides more visual information than the standard Web UI. The standard Web UI has better search functions; the dashboard is better suited to, for example, a wall-mounted monitor.

Installation consists of cloning the git repository and filling in the settings file:

Client OSSEC config

Adding a client to OSSEC is quite simple. First you add the client on the server, which gives you a key. Then you import this key on the client, edit the config file on the client, and that's it.

First we need to generate a key on the OSSEC server for this client. We do this by running /var/ossec/bin/manage_agents, choosing option A and entering the hostname, IP and ID of the client we want to add. Do these steps on the OSSEC server:

That's it. Repeat these steps for every client that needs to be added. There are Puppet modules and Chef cookbooks available to manage this process.
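The key string that manage_agents hands you (option E on the server) is the base64 encoding of the matching /var/ossec/etc/client.keys line, `ID NAME IP SECRET`. As an added example that is not part of the original post, this small Python helper decodes such a key so you can confirm on the client that the ID, hostname and IP are the ones you expect before importing it with option I; the agent name "web1", the address 192.168.1.10 and the random secret are constructed sample values.

```python
import base64
import binascii
import ipaddress
import secrets

# manage_agents (option E) prints the base64 encoding of the matching
# /var/ossec/etc/client.keys line, which has the form "ID NAME IP SECRET".

def encode_agent_key(agent_id, name, ip, secret):
    """Build the key string manage_agents would print for one client.keys line."""
    line = f"{agent_id} {name} {ip} {secret}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")

def decode_agent_key(key_string):
    """Decode a manage_agents key string; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(key_string.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64-encoded agent key") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError(f"agent id is not numeric: {agent_id!r}")
    if ip != "any":  # client.keys accepts an address, a CIDR range or "any"
        ipaddress.ip_network(ip, strict=False)  # ValueError if malformed
    if not secret or set(secret) - set("0123456789abcdef"):
        raise ValueError("secret is not a lowercase hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}

def key_matches_host(key_string, expected_name, expected_ip):
    """True if the key was issued for this hostname and IP (check on the
    client before manage_agents option I, so a key meant for another agent
    or mangled while copying is not imported)."""
    info = decode_agent_key(key_string)
    return info["name"] == expected_name and info["ip"] == expected_ip

# Constructed sample for a client "web1" at 192.168.1.10 with agent ID 001.
# The secret is random here; the real one is generated by manage_agents.
SAMPLE_SECRET = secrets.token_hex(32)
SAMPLE_KEY = encode_agent_key("001", "web1", "192.168.1.10", SAMPLE_SECRET)

if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY))
    print(key_matches_host(SAMPLE_KEY, "web1", "192.168.1.10"))  # True
    print(key_matches_host(SAMPLE_KEY, "db1", "192.168.1.10"))   # False
```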

Bonus Tips

Here are a few bonus tips/config examples for OSSEC:

Ignoring rules

To ignore rules based on rule id, add them to the XML file located at /var/ossec/rules/local_rules.xml, either on the OSSEC client to ignore them for one machine or on the OSSEC server to ignore them on all machines:
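As an added example (mine, not the original post's), here is what such an entry in local_rules.xml looks like. OSSEC evaluates rules in ossec-analysisd, which runs on the server (or on a "local" install), so to silence a rule for one machine in a server/agent setup the rule is scoped with the agent's name; 5402 is OSSEC's "Successful sudo to ROOT executed" rule and "web1" is a constructed agent name.

```xml
<!-- /var/ossec/rules/local_rules.xml: ids 100000-109999 are reserved for local rules -->
<group name="local,syslog,">

  <!-- Level 0 means the event is still matched but never alerted on.
       Without the <hostname> element this silences rule 5402 for every agent;
       with it, only events from the agent named "web1" are ignored. -->
  <rule id="100010" level="0">
    <if_sid>5402</if_sid>
    <hostname>web1</hostname>
    <description>Ignored: successful sudo to root on web1.</description>
  </rule>

</group>
```

Restart OSSEC (/var/ossec/bin/ossec-control restart) after editing the file, and prefer narrowing a silence with a condition like this over disabling the rule outright, since a level 0 rule with no conditions hides the event from every alert and from the Web UI.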